Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

I'm trying to control which users can use USB media (mass storage devices such as USB memory sticks and hard drives) on Red Hat/CentOS 6.3 Linux. I would like something that is network wide, so a group-permission-based scheme would be preferred, e.g. where a user is put in a group and that gives them read-only or read-write access, etc.

I have been told that mediad can be used to manage this but I can't figure out how. I've also come across cgroup/cgconfig but cannot figure that out either.

Quote:

I would like something that is network wide, so a group-permission-based scheme would be preferred, e.g. where a user is put in a group and that gives them read-only or read-write access, etc.

There are three basic permission bits, u-g-o: set the "read-only" group to the lowest level, 'o=4', doing this at the mount point:

chmod 764, making 'o' ("others") the universal "read-only" group.

Then create one group, e.g. 'writergroup', which thereby has r-w permissions to the volume.

~# groupadd -g 1200 writergroup

~# chown -R root:writergroup 'mountpoint'
~# chmod 764 'mountpoint'

That should make "you" the owner, with read, write and execute permissions;
the 'writergroup' members have read-write permissions to the volume; and
the 'others' (regular users) only have the read permission and cannot write.

You can now ignore all users who only have read access to the volume, and choose the few to whom you may grant write access:

Quote:

I have been told that mediad can be used to manage this but I can't figure out how. I've also come across cgroup/cgconfig but cannot figure that out either.

Excuse me. "cgroup" is not a toy in the userland. It was a system recently introduced by Linux Kernel coders to improve resource management and process accounting by the kernel. It is the plaything of the masters, but not for us.

Quote:

How should I go about achieving this?

"The magic is in the magician; not in the wand." as I frequently enjoy reading it from someone's signature here. So, do it now and do it yourself. Manipulate the 3 permission bits.

Another trick: Set the previous case to chmod 740, create a 'reader' group, chown the point as root:reader; by this only this group has access to it, and only read access. Remount the same volume to another point and set it to be accessible exclusively by another group, this time with different rights: chmod it to 760. That way you have excluded 'others' (or regular users) from even reading the volume. Do not use the " -R " switch, as it will descend into the descendant folders and files. You would have made the volume promiscuous, a security concern.
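As an added example, not part of any post in this thread: a small POSIX shell script that rehearses the 764 and 740/760 schemes from the reply above on scratch directories standing in for the mount point (no root needed, so the groupadd and chown steps are only quoted in comments) and prints what owner, group and others can actually do on a directory with each mode. The check it adds is the one worth running before rolling this out: on a directory the x bit is what lets a user enter it or open anything under it, so a group digit of 6 lists names but cannot read or write a single file, and the intent described in the reply (group read-write, others read-only) corresponds to 775 on a directory, with 750/770 for the reader/writer split. The mode table and the scheme names are mine, not the thread's.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Rehearses the u-g-o schemes
# from the reply on scratch directories standing in for the mount point and
# reports what owner, group and others can do with a DIRECTORY of that mode.
# Runs unprivileged, so the steps that need root are only quoted here:
#   groupadd -g 1200 writergroup
#   chown root:writergroup /path/to/mountpoint
set -eu

# Octal mode of a path, as the three digits the reply manipulates (e.g. 764).
mode_of() { stat -c '%a' "$1"; }

# Meaning of one octal digit for a DIRECTORY. Unlike a file, a directory needs
# 'x' (search) before anyone can enter it or open anything under it; 'r' alone
# only lists entry names, and 'w' is unusable without 'x'.
dir_access() {
  case "$1" in
    7)   echo "enter, list, create and delete" ;;
    5)   echo "enter, list and open files, no create" ;;
    3)   echo "enter, create and delete, no listing" ;;
    1)   echo "enter and open files by known name, no listing" ;;
    6|4) echo "list names only (no x: cannot enter or open files)" ;;
    2|0) echo "no access" ;;
    *)   echo "invalid digit: $1" >&2; return 1 ;;
  esac
}

# Print what each class gets from a directory mode such as 764.
explain_mode() {
  m=$1
  u=$(printf '%s' "$m" | cut -c1)
  g=$(printf '%s' "$m" | cut -c2)
  o=$(printf '%s' "$m" | cut -c3)
  printf 'mode %s\n  owner : %s\n  group : %s\n  others: %s\n' \
    "$m" "$(dir_access "$u")" "$(dir_access "$g")" "$(dir_access "$o")"
}

# Apply one of the reply's schemes to a scratch mount point and echo the
# resulting mode(s) so the caller can verify them.
#   single: one mount point, chmod 764
#   split : the same volume mounted twice, 740 for readers and 760 for writers
apply_scheme() {
  root=$(mktemp -d)
  case "$1" in
    single)
      mkdir "$root/mountpoint"
      chmod 764 "$root/mountpoint"
      mode_of "$root/mountpoint" ;;
    split)
      mkdir "$root/readers" "$root/writers"
      chmod 740 "$root/readers"
      chmod 760 "$root/writers"
      printf '%s %s\n' "$(mode_of "$root/readers")" "$(mode_of "$root/writers")" ;;
    *)
      rm -rf "$root"; echo "unknown scheme: $1" >&2; return 1 ;;
  esac
  rm -rf "$root"
}

# The reply's modes next to the ones that give the described behaviour on a
# directory: 775 (group rw, others read-only) and 750/770 for the split.
for m in 764 775 740 750 760 770; do
  explain_mode "$m"
done
echo "single scheme mode: $(apply_scheme single)"
echo "split scheme modes: $(apply_scheme split)"
```

Run it as an ordinary user; the modes it applies come back from stat exactly as set, and the explain_mode lines show that 764 and 760 leave the group unable to enter the directory, which is the first thing to test with `su - someuser -c 'ls -l /mountpoint/somefile'` on the real mount point. Note that this only matters for filesystems that store Unix permissions on disk (ext3 and the like); FAT media get their ownership and mode from the uid/gid/umask mount options instead.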

With the USB devices in question, I don't know where the mountpoint will be, as it is created on the fly based on the volume label of the media inserted, e.g. /media/MyUsbStick. I was considering applying your strategy in a udev rule but that kicks in before the mountpoint is known and the device then automounts with 700 permissions, owned by the logged in user.

I think this relates to automount but the auto.master man page doesn't help me figure out how to control the permissions of the mountpoint used.
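An added example, not from any poster in this thread, for the situation described above where the mount point only exists after the automounter has acted: a udev rule that hands the block device nodes created for USB mass storage to the 'writergroup' group from the earlier reply, and marks them so udisks (the automounter on CentOS 6) leaves mounting policy to the administrator. The file name, the group name and the assumption that the desktop volume monitor honours UDISKS_PRESENTATION_NOPOLICY are mine; verify the last one on the target system.

```udev
# Added example, not from the thread. Assumed path: /etc/udev/rules.d/70-usb-storage-group.rules
# The 'writergroup' group must already exist (groupadd -g 1200 writergroup, as in the reply).

# ID_BUS=usb is set by udev's usb_id helper for devices on the USB bus; matching it on
# SUBSYSTEM="block" covers the whole disk (sdb) and each partition (sdb1, ...).
# Group gets read-write on the device node, others get nothing.
ACTION=="add|change", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", GROUP="writergroup", MODE="0660"

# Ask udisks to skip its mount-on-insert policy for these devices. Without this the
# desktop still mounts the stick for the logged-in user (with the 700 tree you saw),
# whatever the ownership of /dev/sdb1. Assumption: the volume monitor respects this flag.
ACTION=="add|change", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", ENV{UDISKS_PRESENTATION_NOPOLICY}="1"
```

Load it with `udevadm control --reload-rules`, plug a stick in, and confirm with `udevadm info --query=property --name=/dev/sdb1` (ID_BUS=usb and the NOPOLICY property should be listed) and `ls -l /dev/sdb1` (root:writergroup, mode 0660). Two caveats: the rule governs the raw device node, so a writergroup member can read the stick with dd but still needs root or an fstab entry to mount it; and for FAT-formatted media the ownership of the mounted tree comes from the uid/gid/umask mount options, so the chmod scheme from the reply only takes effect on filesystems that store Unix permissions, such as ext3.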